Cybersecurity

3 million Facebook users affected by new data leak: report

A popular personality quiz app left more than 3 million Facebook users’ private information exposed on a vulnerable website for four years, according to an investigation by New Scientist.

Facebook users were encouraged to share personal and intimate details, like the results of a psychological test, with the app myPersonality. Academics working at the University of Cambridge then transferred the information to a website with “insufficient security provisions” where it remained for four years, according to the Monday report. During this time, outside parties could reportedly access this personal data with relative ease.

Those who had access to the data would’ve been able to view 3.1 million users’ app scores that reveal personal characteristics about a particular individual, like their conscientiousness, agreeableness and neuroticism, according to the report.

Additionally, the app had collected data from “22 million status updates from over 150,000 users, alongside details such as age, gender and relationship status from 4.3 million people.”

Under the terms of use, the myPersonality team was allowed to use and distribute the data “in an anonymous manner such that the information cannot be traced back to the individual user,” but they took “poor precautions” to scrub identifying information like users’ names, New Scientist found.

In addition to the personality quiz results, the data also included a user’s age, gender, location and status updates. This information could’ve been used to re-identify a user, even if the individual’s name was scrubbed, New Scientist found. 

To view the myPersonality data, one would have only needed to register as “a collaborator” on the project.

More than 280 people from roughly 150 institutions signed up as collaborators, including people working for tech companies like Facebook, Google, Microsoft and Yahoo, according to the report.

The credentials to the website were also floating around on the internet.

“For the last four years, a working username and password has been available online that could be found from a single web search. Anyone who wanted access to the data set could have found the key to download it in less than a minute,” the investigation found.

Academics as well as those working for large corporations could access the data if they abided by the data protection procedures. 

Facebook suspended myPersonality from its platform last month, saying the app is under investigation for possibly violating its policies. The United Kingdom’s data watchdog told New Scientist that it is also investigating the matter.

David Stillwell and Michal Kosinski, who worked at the University of Cambridge’s Psychometrics Center, handled the data. Aleksandr Kogan, the professor at the center of the Cambridge Analytica scandal, also took part in the myPersonality project at one point, according to the report.

As many as 50 million Facebook users reportedly had their profiles harvested for data without their permission by Cambridge Analytica ahead of the 2016 presidential election.

Facebook suspended the firm, which was used by President Trump’s campaign.

Christopher Wylie, a whistleblower from the firm, said that Kogan had worked with Cambridge Analytica in obtaining the data. Kogan, however, has claimed he did not know the data was being used to target voters and that he is a scapegoat in the controversy.

Facebook announced Monday that it has suspended 200 apps so far as part of its review of data abuse following the Cambridge Analytica scandal. CEO Mark Zuckerberg promised earlier this year to conduct an audit of every app with access to large amounts of Facebook user data.